General Requirements for Automated Teller Machines (ATMs)

Automated Teller Machines (ATMs) are cardholder-activated terminals that provide clients of financial institutions with access to their accounts and the ability to process financial transactions without the need for a bank clerk. Customers identify themselves at an ATM by inserting an ATM card into the terminal and entering a preselected personal identification number (PIN). The information is then verified with the card issuer and the cardholder is allowed to proceed with the transaction.

As with all other types of cardholder-activated terminals, ATM requirements specify the maximum dollar amount of transactions allowed, as well as authorization, clearing, chargeback, and transaction liability. The following specific requirements apply:

The ATM must accept a personal identification number (PIN) as a substitute for signature.

If the PIN has not been adopted as a standard within a country, or card issuers have not provided one, this type of service is not available.

The PIN authorization must be made via a secured data transmission.

ATM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits.

The merchant’s processing bank may decline a transaction after four attempts that receive four consecutive negative responses of “invalid PIN” or “invalid transaction” from the credit card network. Alternatively, the processing bank may allow more than four consecutive PIN entry attempts at an ATM, each of which received a negative response.

All transactions, regardless of the amount, must be authorized on a zero floor limit basis with full, unaltered card-read data transmitted.

Card retention at an ATM is not required. However, if the terminal has that capability, the merchant may retain a card only at the card issuer’s specific direction.

The retained card must be logged and secured under applicable audit controls.

The retained card must be cut in half and then returned to the merchant’s processing bank.

For transactions processed at ATMs where a PIN and full, unaltered card data are transmitted, “No Cardholder Authorization” chargeback rights are not available to card issuers because the PIN is a valid substitute for the cardholder’s signature.

An ATM that is also a hybrid terminal may perform fallback procedures unless local regulations specifically prohibit them. Processing banks use fallback procedures when a smart card is present at a hybrid terminal but the merchant cannot process the transaction using smart card technology, and instead processes it by using the magnetic stripe or by manually entering the account number.